Installing GnuPG 2.1.4 in Debian Experimental

Daniel Kahn Gillmor dkg at fifthhorseman.net
Mon Jun 15 19:33:06 CEST 2015


On Fri 2015-06-12 23:37:30 -0400, Rex Kneisley wrote:
> I blatantly disregarded their warning: "if you are running Debian, it
> is strongly suggested to use a package manager like aptitude
> <https://packages.debian.org/jessie/aptitude> or synaptic
> <https://packages.debian.org/jessie/synaptic> to download and install
> packages, instead of doing so manually via this website."
>
> In addition to that, although the site is “https” and looks “official”
> enough, there are no hashes or signatures provided.

while https://packages.debian.org/ is https, the mirrors it points to
are cleartext http.  And indeed, debian has little control over the
mirrors we link to, since they're provided by (hopefully friendly) third
parties.

the recommended way to verify packages is by using apt.

> Moving to “stretch” seems the most straightforward way of achieving my
> goal of running GnuPG version 2.1.x. But doesn't that also
> automatically download and install “testing” versions of other
> packages that I am not interested in?

yes, it would.  This is a tradeoff between running "stable" and running
"testing".

> Will running "apt-get install update && apt-get install dist-upgrade"
> on my system, in its current state, overwrite libassuan0 with an earlier version?

no, apt does not downgrade by default.

> Is it too late to try to move to “stretch”?

no, upgrades from stable to testing are usually something that works
fine (with the caveat being the lower stability of the testing distro).

> Thank you for all of your help in this matter. I know we are drifting
> in to territory that would be more appropriate in a debian-users
> mailing list.

yeah, we're probably off-topic here by now.  hopefully these general
outlines are useful to others reading the list or the archives, though.

         --dkg
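
Added example (not part of the original message, and not apt's own code): a Python version of the last link in the check apt performs, comparing a downloaded .deb against the Size and SHA256 fields of its Packages index entry, which is what makes a cleartext http mirror safe to fetch from. It assumes the index itself was already authenticated through the archive's signed Release file; the package name, stanza and file bytes are constructed.

```python
import hashlib
import hmac

def parse_packages(text):
    """Map each Filename in a Packages index to its (Size, SHA256) fields."""
    index = {}
    for stanza in text.strip().split("\n\n"):
        fields = {}
        for line in stanza.splitlines():
            if line[:1] in (" ", "\t"):   # continuation line (long Description)
                continue
            key, sep, value = line.partition(":")
            if sep:
                fields[key.strip()] = value.strip()
        if {"Filename", "Size", "SHA256"} <= fields.keys():
            index[fields["Filename"]] = (int(fields["Size"]), fields["SHA256"].lower())
    return index

def verify_deb(data, filename, index):
    """True only if the downloaded bytes match the index entry for filename."""
    entry = index.get(filename)
    if entry is None:
        return False          # not listed in the authenticated index: reject
    size, sha256 = entry
    if len(data) != size:
        return False          # truncated or padded download
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), sha256)

# Constructed sample: stand-in bytes for a .deb and a matching index stanza.
SAMPLE_NAME = "pool/main/e/example-pkg/example-pkg_1.0-1_amd64.deb"
SAMPLE_DEB = b"!<arch>\nconstructed stand-in for a .deb archive\n"
SAMPLE_INDEX = (
    "Package: example-pkg\n"
    "Version: 1.0-1\n"
    f"Filename: {SAMPLE_NAME}\n"
    f"Size: {len(SAMPLE_DEB)}\n"
    f"SHA256: {hashlib.sha256(SAMPLE_DEB).hexdigest()}\n"
    "Description: constructed entry\n"
    " continuation line: ignored by the parser\n"
)

if __name__ == "__main__":
    idx = parse_packages(SAMPLE_INDEX)
    print("intact:  ", verify_deb(SAMPLE_DEB, SAMPLE_NAME, idx))
    print("tampered:", verify_deb(SAMPLE_DEB[:-1] + b"X", SAMPLE_NAME, idx))
```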


